Closed Bug 717171 Opened 11 years ago Closed 6 years ago

Crash @ js::ContextStack::currentScript

Product/Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INCOMPLETE
Reporter: scoobidiver
Assignee: Unassigned
Keywords: crash, regression

It's a low volume crash but there's a spike in crashes, mainly on startup, that started in 12.0a1/20120110.
The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cf8c9f9aeefc&tochange=c713003d3226

Signature	js::ContextStack::currentScript(unsigned char**)
UUID	e0cc8410-ae67-4a4c-8627-7a4af2120110
Date Processed	2012-01-10 10:27:31.649516
Uptime	8
Last Crash	15 seconds before submission
Install Age	4.4 minutes since version was first installed.
Install Time	2012-01-10 18:23:22
Product	Firefox
Version	12.0a1
Build ID	20120110031111
Release Channel	nightly
OS	Windows NT
OS Version	6.0.6002 Service Pack 2
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 15 model 107 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xfffffffffffff000
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x03d0, AdapterSubsysID: 2a5a103c, AdapterDriverVersion: 7.15.11.7521
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers-
EMCheckCompatibility	False

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ContextStack::currentScript 	js/src/vm/Stack-inl.h:676
1 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5488
2 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:208
3 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
4 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
5 	mozjs.dll 	proxy_GetProperty 	js/src/jsproxy.cpp:1039
6 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:205
7 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
8 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
9 	mozjs.dll 	proxy_GetProperty 	js/src/jsproxy.cpp:1039
10 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:205
11 	mozjs.dll 	js::Wrapper::get 	js/src/jswrapper.cpp:230
12 	mozjs.dll 	js::CrossCompartmentWrapper::get 	js/src/jswrapper.cpp:600
13 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:837
14 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5488
15 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:208
16 	mozjs.dll 	js::NameOperation 	js/src/jsinterpinlines.h:421
17 	mozjs.dll 	js::mjit::stubs::Name 	js/src/methodjit/StubCalls.cpp:129
18 	xul.dll 	xpc::WrapperFactory::PrepareForWrapping 	js/xpconnect/wrappers/WrapperFactory.cpp:241
19 		@0x59c0207 	
20 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1051
21 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1121
22 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:472
23 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:538
24 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:570
25 	mozjs.dll 	js::ProxyHandler::call 	js/src/jsproxy.cpp:303
26 	mozjs.dll 	js::Wrapper::call 	js/src/jswrapper.cpp:262
27 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:715
28 	mozjs.dll 	js::Proxy::call 	js/src/jsproxy.cpp:878
29 	mozjs.dll 	proxy_Call 	js/src/jsproxy.cpp:1389
30 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:513
31 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:570
32 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5455
33 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1528
34 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:611
35 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:117
36 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:144
37 	xul.dll 	nsTraversal::TestNode 	content/base/src/nsTraversal.cpp:92

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned%20char**%29
Crash Signature: [@ js::ContextStack::currentScript(unsigned char**)]
It's #2 top crasher in 12.0a1 over the last 3 days.
Keywords: topcrash
My nightly has been crashing since 20110110 build
Thought it was the addon issue...
It is working fine in Safe Mode

Is there any info I need to provide to better trace and fix this bug?
(In reply to Rumos Mok from comment #2)
> It is working fine in Safe Mode

Then it sounds like an add-on, yes. You could try and disable add-ons one by one to figure out which one is connected to this crash.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #3)
> (In reply to Rumos Mok from comment #2)
> > It is working fine in Safe Mode
> 
> Then it sounds like an add-on, yes. You could try and disable add-ons one by
> one to figure out which one is connected to this crash.

Of course I have tried to disable all addons and re-enable them one by one.
I thought I had found the bad addon, so I went ahead and disabled it, thinking it would help solve the problem.
And Nightly crashes 1 minute after restarting...

Disabling the remaining addons still makes my Nightly crash...

So I go ahead and create a new profile, install the addons that I needed, browse for a while, and... crash again

Just tried on the 20110117 nightly, still crashing.
https://crash-stats.mozilla.com/report/index/bp-a7128514-d4b5-46be-a114-0ce842120117
The same profile runs pretty good on nightly builds before 20110110, as well as Aurora
Safe mode also disables the JITs. Seems more likely to be what's crashing.
Any way to check if JIT is causing the crash?
Go into about:config. Set the following two values to false and restart the browser:
javascript.options.methodjit.chrome
javascript.options.methodjit.content
(In reply to Ryan VanderMeulen from comment #7)
> Go into about:config. Set the following two values to false and restart the
> browser:
> javascript.options.methodjit.chrome
> javascript.options.methodjit.content

Seems it has stopped the crash
(In reply to Rumos Mok from comment #8)
> (In reply to Ryan VanderMeulen from comment #7)
> > Go into about:config. Set the following two values to false and restart the
> > browser:
> > javascript.options.methodjit.chrome
> > javascript.options.methodjit.content
> 
> Seems it has stopped the crash

an update:
no crash if methodjit.chrome and methodjit.content is set to "false"
no crash if methodjit.chrome is true and methodjit.content is set to "false"
crash if methodjit.content is set to "true"
(In reply to Rumos Mok from comment #9)
> an update:
> no crash if methodjit.chrome and methodjit.content is set to "false"
> no crash if methodjit.chrome is true and methodjit.content is set to "false"
> crash if methodjit.content is set to "true"

So that means it's probably a web page that is causing this and not our own UI - web stuff is "content", our UI is "chrome". Also, it's crashing in the JIT.

I wonder if TypeInference is involved, not sure if we have that on for both chrome and content by default - I know we have it on for content at least, but it might be just on generally.

Could you try with both methodjit preferences on and setting javascript.options.typeinference to false? That can help us narrow it down even more.

Also, I wonder if your processor supports SSE2, as we fixed problems in development recently that had to do with non-SSE-supporting CPUs.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #10)
> (In reply to Rumos Mok from comment #9)
> > an update:
> > no crash if methodjit.chrome and methodjit.content is set to "false"
> > no crash if methodjit.chrome is true and methodjit.content is set to "false"
> > crash if methodjit.content is set to "true"
> 
> So that means it's probably a web page that is causing this and not our own
> UI - web stuff is "content", our UI is "chrome". Also, it's crashing in the
> JIT.
> 
> I wonder if TypeInference is involved, not sure if we have that on for both
> chrome and content by default - I know we have it on for content at least,
> but it might be just on generally.
> 
> Could you try with both methodjit preferences on and setting
> javascript.options.typeinference to false? That can help us narrow it down
> even more.
> 
> Also, I wonder if your processor supports SSE2, as we fixed problems in
> development recently that had to do with non-SSE-supporting CPUs.

Disabling TI still results in a crash
And CPU in both my home desktop and office desktop supports SSE2
I'm not completely sure if it's the same issue, but I can reliably reproduce a crash with a signature of @ js::ContextStack::currentScript(unsigned char**) with these steps:

1) Open a new tab
2) Open the web console
3) Paste this JavaScript code into it and run it:
window.onresize = function () {console.log(getComputedStyle(document.body).width)}
4) resize the window

=> crash bp-e981ddf2-6787-40ce-a840-0c3312120123
(In reply to Andreas Jung from comment #12)
> I'm not completely sure if it's the same issue, but I can reliably reproduce
> a crash
I can't reproduce it in 32-bit and 64-bit builds.
Does it happen with a new profile?
Not reproducible in
Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120123 Firefox/12.0a1

Still reproducible in
Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120122 Firefox/12.0a1
(In reply to Andreas Jung from comment #14)
> Not reproducible in
> Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120123 Firefox/12.0a1
There are no crashes in 12.0a1/20120123.
The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=244711942710&tochange=758005504cab
Finally, there's one crash in 12.0a1/20120123:
bp-6f36a020-91ec-476a-9702-4003a2120125
But it has a different stack.
We're getting the same issue when running the application we developed. Here are a couple of crash reports.

https://crash-stats.mozilla.com/report/index/bp-64fa6dfd-4561-4447-90f4-2d66c2120227
https://crash-stats.mozilla.com/report/index/bp-71e0f424-a360-40a9-98bd-8279c2120222
https://crash-stats.mozilla.com/report/index/bp-78d23a8f-88bc-4155-810c-f2bf42120220

This setting is irrelevant:
javascript.options.tracejit.chrome

Firefox crashes if I have both of these options set to True:
javascript.options.tracejit.content
javascript.options.typeinference

If at least one of them is false, then everything is fine.

It is not related to a particular computer. It occurs on Windows and on Linux. It has been introduced in Firefox v10 and is still present in v10.2, as well as in 11.b4.
It doesn't occur however in today's nightly build 13.0a1 (2012-02-26)

Could someone predict which release will have this fix? Is it possible to include this fix to the next release of v11 or v10.3?

Thank you!
Sorry, I was talking about v12 alpha: 12.0a1 (2012-02-26)
I mean it is fixed in 12.0a1 (2012-02-26), but still occurs in v10.2 and v11.b4
I see one of these in 12a2 for build id 20120228042013. I am going to leave it open for now and see what happens after the next cutover. I don't think it's a top crash anymore though.
Keywords: topcrash
no crashes starting in TB15 for
js::ContextStack::currentScript(unsigned char**)

(In reply to Sheila Mooney from comment #20)
> I see one of these in 12a2 for build id 20120228042013. I am going to leave
> it open for now and see what happens after the next cutover. I don't think
> it's a top crash anymore though.

can you still reproduce?
Flags: needinfo?(rumosmok)
It still happens at a low volume:
* 192 crashes in 22.0
* 11 crashes in 23.0b9

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned+char**%2C+js%3A%3AContextStack%3A%3AMaybeAllowCrossCompartment%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AContextStack%3A%3AcurrentScript%28unsigned+char**%2C+js%3A%3AContextStack%3A%3AMaybeAllowCrossCompartment%29+const
Crash Signature: [@ js::ContextStack::currentScript(unsigned char**)] → [@ js::ContextStack::currentScript(unsigned char**)] [@ js::ContextStack::currentScript(unsigned char**, js::ContextStack::MaybeAllowCrossCompartment) ] [@ js::ContextStack::currentScript(unsigned char**, js::ContextStack::MaybeAllowCrossCompartment) co…
OS: Windows 7 → All
Hardware: x86 → All
Assignee: general → nobody
Crash Signature: , js::ContextStack::MaybeAllowCrossCompartment) const ] → , js::ContextStack::MaybeAllowCrossCompartment) const ] [@ js::ContextStack::currentScript] [@ js::ContextStack::currentScript const ]
no crashes for current versions, and Sheila hasn't replied
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(rumosmok)
Resolution: --- → INCOMPLETE